If you are reading this WordPress security article you may have already fallen victim to a hacked or spammed website; if you haven't been a victim yet, you have either been very lucky or don't realise your site has already been hacked. In this article we are only going to cover a couple of basic changes you can make to make life more difficult for hackers, and advise on how to keep one step ahead of a potential threat.
Please remember to back up your database and files before attempting to make any major changes to your website security. If you are improving security after an attack you will need to change your WordPress Authentication Keys and Salts in your wp-config.php file, which invalidates every existing login cookie.
Skill Level: Intermediate
Make sure that all of your plugins and the WordPress core version are up to date; if you are using a purchased theme this needs to be updated also.
Open your wp-config.php file and add the following line above the "That's all, stop editing!" comment, so that it is defined before wp-settings.php is loaded:

// Turn on automatic core updates by BWD Group
// codex.wordpress.org/Configuring_Automatic_Background_Updates
define('WP_AUTO_UPDATE_CORE', true);

The two add_filter calls that extend automatic updates to plugins and themes must not go in wp-config.php: the Plugin API is not loaded yet at that point, so add_filter is undefined there, and to avoid possible WP-CLI conflicts it is recommended to only use add_filter in a custom plugin. WordPress reserves the wp-content/mu-plugins/ directory for must-use plugins, which load automatically and cannot be disabled from the WP Dashboard, so create a file such as wp-content/mu-plugins/auto-updates.php (the file name is your choice) containing:

<?php
// Auto-update plugins and themes by BWD Group
add_filter( 'auto_update_plugin', '__return_true' );
add_filter( 'auto_update_theme', '__return_true' );
By default WordPress allows the Administrator to modify both themes and plugins from the dashboard. This should be disabled to prevent someone who obtains Administrator access from changing your source code to execute server commands or to inject malware.
Open your wp-config.php file and add the following line (again, above the "That's all, stop editing!" comment):

// Disable the WordPress theme and plugin editor by BWD Group
define( 'DISALLOW_FILE_EDIT', true );
To prevent custom PHP code from being executed within your WordPress directories, create a .htaccess file in the /wp-includes/ and /uploads/ (normally /wp-content/uploads/) folders and add the following lines:

<Files *.php>
deny from all
</Files>

"deny from all" is the Apache 2.2 syntax; on Apache 2.4 and later the equivalent directive is "Require all denied". The rule only takes effect if Apache is configured to read .htaccess files (AllowOverride) in those directories, so test it by requesting a PHP file under /uploads/ and confirming you get a 403.
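An added example, not from the original article or BWD Group, that checks whether the wp-config.php constants and the .htaccess rules above are actually in place: it parses wp-config.php for the two define() calls and confirms each .htaccess denies *.php inside a <Files> block, accepting both the Apache 2.2 and Apache 2.4 spellings. The two sample sites are constructed for the demo, and audit_site() assumes the standard WordPress layout.

```python
import re
from pathlib import Path

# define('NAME', true|false) in wp-config.php, tolerant of quote style and spacing.
DEFINE_RE = re.compile(r"""define\s*\(\s*['"](\w+)['"]\s*,\s*(true|false)\s*\)""", re.I)
# A <Files *.php> block whose body contains an Apache 2.2 "deny from all" or
# Apache 2.4 "Require all denied" line; a line commented out with '#' does not count.
FILES_BLOCK_RE = re.compile(r"""<Files\s+["']?\*\.php["']?\s*>(.*?)</Files>""", re.I | re.S)
DENY_RE = re.compile(r"^\s*(deny\s+from\s+all|Require\s+all\s+denied)\s*$", re.I | re.M)

def wp_config_defines(text: str) -> dict:
    """Return {CONSTANT: bool} for every boolean define() found in wp-config.php text."""
    return {name.upper(): value.lower() == "true" for name, value in DEFINE_RE.findall(text)}

def php_execution_blocked(htaccess: str) -> bool:
    """True if the .htaccess text denies all requests for *.php files."""
    return any(DENY_RE.search(body) for body in FILES_BLOCK_RE.findall(htaccess))

def audit(files: dict) -> dict:
    """files maps site-relative paths to contents; a missing file is simply absent."""
    defines = wp_config_defines(files.get("wp-config.php", ""))
    return {
        "file_edit_disabled": defines.get("DISALLOW_FILE_EDIT", False),
        "core_auto_update": defines.get("WP_AUTO_UPDATE_CORE", False),
        "wp_includes_php_blocked": php_execution_blocked(files.get("wp-includes/.htaccess", "")),
        "uploads_php_blocked": php_execution_blocked(files.get("wp-content/uploads/.htaccess", "")),
    }

def audit_site(root) -> dict:
    """Read the three files from a real install directory (standard layout assumed) and audit them."""
    root = Path(root)
    names = ["wp-config.php", "wp-includes/.htaccess", "wp-content/uploads/.htaccess"]
    return audit({n: (root / n).read_text(errors="replace") for n in names if (root / n).is_file()})

# Constructed sample: a default install with none of the article's changes applied.
WEAK_SITE = {"wp-config.php": "<?php\ndefine('DB_NAME', 'wp');\n"}
# Constructed sample: the same install after the article's changes.
HARDENED_SITE = {
    "wp-config.php": "<?php\ndefine('WP_AUTO_UPDATE_CORE', true);\ndefine( 'DISALLOW_FILE_EDIT', true );\n",
    "wp-includes/.htaccess": "<Files *.php>\ndeny from all\n</Files>\n",
    "wp-content/uploads/.htaccess": '<Files "*.php">\nRequire all denied\n</Files>\n',
}

if __name__ == "__main__":
    for check, ok in audit(HARDENED_SITE).items():
        print(f"{check}: {'ok' if ok else 'MISSING'}")
```

Run audit_site("/var/www/html") (or wherever the site lives) against a live install; any check reporting False is a change from this article that has not been applied.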
A simple change to your default username could prevent a brute force password attack that relies on guessing the default "admin" username. WordPress does not allow you to modify the default admin username from the dashboard, but this can be done by downloading a plugin called Admin renamer extended.
Once changed you will be automatically logged out of WordPress.
If you are really paranoid you can always limit access by IP address, provided you have a fixed IP.
A high percentage of WordPress attacks originate from overseas, and if you run a business in the UK you could lock out 99% of those foreign IP addresses.
For accurate and stable results we suggest that you pay for an updated IP database, for as little as $49.00, through IP2Location.
* It is important to remember that if you need Google to crawl your website, you will have to allow US-based IP addresses to access your website.
It is almost impossible to make your website bullet-proof, and with exploits and zero-day attacks a common occurrence for the WordPress community, it's a good investment to purchase a premium security tool which will improve your chances of preventing a future attack.
We recommend both Sucuri and Wordfence for improving your website security. If your website has been hacked and you need a malware clean-up service and security audit, please give us a call on 01204 235928.